JP5025402B2 - High safety control device - Google Patents

Description

  The present invention relates to a high safety control device mainly applied to a railroad control safety device (electronic interlocking device, ATC control device).

  Railway safety devices (electronic interlocking devices, ATC control devices) use train circuits (rails) and loop coils to detect trains, implement traffic lights and switch control in response to route requests from the host system, trains This system ensures safe operation by preventing derailments and collisions. Therefore, it is a system that requires high safety, and must be a fail-safe and highly safe system.

  For this reason, control devices using relays have been used in the past, focusing on the asymmetry of the failure, but in recent years they have been controlled by electronic devices and software using highly integrated and accelerated microelectronics technology. Control devices that ensure safety by multiplexing these devices have been used. In multiplexing, a double system or a triple system is usually employed.

  FIG. 5 shows the configuration of the triple system disclosed in Patent Document 1. In this configuration, since a general-purpose computer can be used for each system unit, it is a highly reliable and high-performance control device, but the amount of hardware is increased compared to the dual system configuration.

FIG. 6 shows the configuration of the bus collation processing device disclosed in Patent Document 2. This figure shows a method of ensuring the safety of the output of the control device by comparing and comparing the buses of the processing device constituted by the processor memory, and the processing result of the control device is highly safe. In order to increase the reliability of the apparatus, another control apparatus having the same configuration as that shown in the figure is mounted and operated as a dual system configuration. In this method, because of the dual system configuration, the amount of material can be reduced as compared with the control device of the triple system configuration described above, but in the control device per system, the processing devices such as the processor and the memory are duplicated. It is hardware specialized for high-safety control equipment, and the equipment cost and development cost are higher than general-purpose products, and the speed and high integration of processors, memories, etc. with the progress of semiconductor technology Even if implemented, it is not easy to switch to these new technologies.
JP-A-4-307633 JP-A-7-302207

  As described above, the conventional railway security device has a triple configuration of a general-purpose control device or a dual configuration of a high safety control device. In the case of the triple system configuration of the general-purpose control device, there is a problem that the amount of the entire control device becomes large. In the case of the dual system configuration of the high safety control device, a high safety CPU board with a dual processor is installed on the railway. Since it becomes a system-dedicated product, a CPU board must be developed each time an attempt is made to improve the function of the control device using the performance improvement of a semiconductor integrated device such as a CPU. There was a problem that the cost would be high.

  An object of the present invention is to provide a highly safe control device that solves such problems.

  The highly safe control device of the present invention includes two general-purpose CPU boards having at least two transmission means, an architecture capable of performing calculations with high safety, and a general-purpose external bus. A high safety control device having at least one high safety board and at least one general purpose communication board controlled by a general purpose external bus provided in the high safety board, wherein the two CPU boards are provided in each It is possible to communicate with each other by only one transmission means, and also to communicate with the high safety board by another transmission means provided for each.

  At this time, the two CPU boards exchanged the control output data, the control input data, and the pseudo control data with each other by means of the transmission means, compared and collated, and detected a mismatch between the control output data and the control input data. In such a case, a predetermined abnormality process is performed on the assumption that an error has occurred in the data. When the coincidence of the pseudo control data is detected, a predetermined abnormality process is performed on the assumption that an error of the pseudo control data or an error of the arithmetic processing function of the CPU has occurred.

  Further, the comparison / collation result of control input data, control output data, and pseudo control data of both CPU boards is transmitted to the high safety board by the transmission means possessed by each CPU, and received from each CPU by the high safety board. Each comparison result is compared and verified, and when a mismatch is detected, a predetermined abnormality process is performed. Then, another set of high-safety control devices with the same configuration is provided as a dual system configuration, and even if one of the control devices fails, the control operation is continued and the system is not brought down. Transmission means for matching control data between the control devices.

  On the other hand, transmission / reception control of control output data, control input data, and transmission data between duplex control devices is performed by a communication board connected to the general-purpose bus of the high safety board. These communication data are obtained by adding a check code, a transmission / reception address, and periodically updated serial number data for error detection.

  Since the high safety control device according to the present invention is a dual system device, the amount of material is smaller than that of a triple system device. In addition, a general-purpose CPU board is adopted, and if the technological innovation of the semiconductor integrated circuit advances and the performance of the CPU improves, it is easy to upgrade the function of the CPU board replacement / control device at a low cost.

  In addition, the high safety control device according to the present invention has a double system configuration for high reliability, and the amount of material is smaller than that of the triple system configuration. Also, two general-purpose CPU boards having at least two transmission means, one high-safety board having an architecture capable of performing calculations with high safety and having a general-purpose bus, By mounting at least one general-purpose communication board controlled by the general-purpose bus provided in the high-safety board, the high-safety CPU board used in the conventional dual system control device can be eliminated and a high-performance CPU board can be used. Therefore, the performance of the control device can be improved and the control operation can be made highly safe. Further, when the performance of the CPU board is improved by technical innovation, the performance of the control device can be easily improved by replacing only the CPU board.

  Hereinafter, specific embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 shows a railway security system (integrated electronic interlocking and ATC) using a control device of the present invention. 11A and 11B are dual logic units using the control device of the present invention, 10A is a dual backbone LAN, 12 and 13 are transmission control units, 10B is a dual branch LAN, and 14 is a track circuit. A TD / ATC device 15 that transmits and receives TD (train detection signal) and ATC (train control signal), and 15 is an electronic terminal that performs display / drive control of traffic lights and switches.

The operation of this system will be described below.
First, in the logic units 11A and 11B, requested route information and the like are input from a host device (not shown), a control calculation related to train security is performed, and control output data as the calculation result is output to the backbone LAN 10A. The transmission control units 12 and 13 receive this control data and send it to a predetermined TD / ATC device 14 or electronic terminal 15 via the branch LAN 10B. In the TD / ATC device, a TD signal and an ATC signal are output to the track circuit (rail) via the matching transformer 16 according to an instruction of control data. On the other hand, in the electronic terminal, similarly, the traffic light is set to a predetermined display by the instruction of the control data, and the conversion control of the switch is performed.

  On the other hand, the control results of the TD / ATC device and the electronic terminal (train presence line status by TD, current signal status, switch change status, etc.) are displayed as display data in the logic unit 11A in the reverse order to the above sequence. , 11B. The logic unit reflects the input display data in the control calculation in the next control cycle.

  Since these operations are directly related to the safe operation of the train, they need to be made highly safe, and if any failure occurs in the middle, be sure to check the safety side (in this case, There is a need for a fail-safe concept of being controlled by collision and capsizing.

  In this system, the operation of the logic unit and the output of the control data must be made highly safe and fail-safe, and the control output of the TD / ATC device and the electronic terminal, which are subordinate devices, are also highly safe and fail-safe. Need to be done.

  Here, the control device of the present invention is applied to the logic units 11A and 11B. This detailed configuration is shown in FIG.

  21A and 21B are CPU boards that perform the main control calculations of the railway security system, 22 is an FS board that guarantees that its calculation results are extremely safe, and 23 is a communication board that performs data transmission / reception control with the backbone LAN. is there. The configuration / operation of FIG. 2 will be described below.

  The CPU boards of 21A and 21B can communicate with each other by the transmission means 24. Further, communication with the FS board is also possible by the transmission means 25A and 25B. The FS board 22 and the communication board 23 can communicate with each other via a bus 26.

  First, an instruction for synchronization is issued from the FS board 22 to the two CPU boards 21A and 21B by the transmission means 25A and 25B. On the CPU board side, when this command is received, the start of the control cycle is recognized. Next, in the CPU boards 21A and 21B, route information related to the control is input from a higher-level device (not shown), and display data from a lower-level device (TD / ATC device, electronic terminal) input in the previous control cycle is used as a basis. The control cycle is calculated. At this time, there should be no error in the calculation result due to occurrence of hardware failure such as garbled memory data or register failure in the CPU board.

  Therefore, the arithmetic processing is divided into predetermined steps, and the mid-computation data output at each step is exchanged between the CPU boards 21A and 21B via the transmission path 24. After the exchange, when comparing the own calculation result data with the calculation result data input from the counterpart CPU board, and sending the comparison result to the FS board 22 via the transmission paths 25A and 25B, and detecting a mismatch A predetermined abnormality process is performed.

  Also in the FS board 22, when the two comparison results received from the CPU boards do not match or both do not match, a predetermined abnormality process is performed.

  When the control calculation outputs the final result safely, this calculation data is also exchanged between the CPU boards of 21A and 21B via the transmission line 24. After the exchange, the data of itself and the other party are compared, the comparison result is transmitted to the FS board 22 via the transmission lines 25A and 25B, and a predetermined abnormality process is performed when a mismatch is detected.

  When the control result is derived without performing abnormality detection through the above processing, the CPUs 21A and 21B transmit control output data to the FS board 22 via the transmission paths 25A and 25B. The FS board transfers both received data or one of the predetermined data as output data of the control device to the communication board 23 via the 26 bus. The communication board 23 edits data input from the bus 26 according to a predetermined transmission protocol, and then outputs the data to the backbone LAN.

  Next, when the display data sent from the 14 TD / ATC and 15 electronic terminals is received by the 23 communication boards, they are transferred to the FS board 22 via the bus 26. The FS board 22 transfers the received data to the CPU boards 21A and 21B via the transmission paths 25A and 25B. Each CPU board exchanges the received data with the counterpart CPU board via the transmission path 24. After the exchange, the data of itself and the other party are compared, the comparison result is transmitted to the FS board 22 via the transmission lines 25A and 25B, and a predetermined abnormality process is performed when a mismatch is detected. If no mismatch is detected, a predetermined calculation process is performed based on the received data in each CPU board.

  Next, the CPU boards 21 </ b> A and 21 </ b> B exchange simulated control data via the transmission path 24. This data is calculated by a predetermined calculation by each CPU board, and is intentionally composed of different data between the two CPU boards. This is to check that the data comparison processing of both CPU boards themselves is sound. After exchanging this data, both CPU boards perform comparison processing between themselves and the other party's data. If detected, both CPU boards are considered normal. Both CPU boards also transmit the comparison result of this data to the 22 FS boards via the transmission lines 25A and 25B. In the FS board, when the two comparison results received from each CPU board do not match or both match. If so, predetermined abnormality processing is performed.

  The above operation sequence is shown in the flowchart of FIG. This control device performs a periodic operation with the flow of FIG. 3 as one cycle.

  Next, a transmission format of input / output data from the control apparatus to the backbone LAN will be described. FIG. 4 shows the input / output data format. The format fields are as follows.

(A) Address: data source / destination address (b) Control unit: data function, serial number (c) data:
(D) CRC: Cyclic redundant code

  In a highly secure device that performs control by data transmission, it is fatal to perform control based on erroneous transmission / reception data. The above data structure is for preventing this from occurring.

  The address (a) specifies the transmission source and destination of transmission data, and prevents transmission data from being transmitted to an unintended control device and erroneously controlled. The control unit (b) includes a serial number that is updated every control cycle, and by checking this data at the receiving destination, it is guaranteed that the information is always the latest. The CRC in (d) is a redundant code generated by a predetermined operation, and is detected by a verification process at the receiving destination when a bit error occurs in (a), (b), (c), and (d). I can do it. By generating and checking / verifying this data with a highly secure device, highly secure control is possible even if data errors occur due to noise application in transmission paths (cables, connectors, etc.) that are not guaranteed to be safe. Is possible.

  Further, this control device has a dual system configuration with another identical hardware configuration, and normally operates with either device (system) as the primary system and the other side as the secondary system. The two apparatuses communicate via the transmission line 10C in FIG. 1, and data such as the control output / control state of the main system is transmitted to the sub system so as to match the states. This is to prevent control stagnation if an abnormality occurs in the main system and the previous subordinate system continues to operate as a new main system due to the system change. The inter-system transmission is performed after data comparison by each CPU board and data comparison by the FS board, similarly to data input / output with the backbone LAN.

  As described above, the data transmission operation and the data reception operation of the present control device can be performed with high safety, and the function as the control device of the railway security device can be achieved.

FIG. 1 shows a railway security system using a control device according to the present invention. FIG. 2 shows a control device of the present invention. FIG. 3 is an operation flowchart of each board of the control device of the present invention. FIG. 4 is a basic LAN data format of the control apparatus of the present invention. FIG. 5 shows a conventional triple control system. FIG. 6 shows a conventional dual system control apparatus.

Explanation of symbols

10A backbone LAN
10B Branch LAN
10C Inter-system LAN
11A control device 11B control device 12 transmission control device 13 transmission control device 14 TD / ATC device 15 electronic terminal 21A CPU board 21B CPU board 22 FS board 23 communication board 24 transmission path 25A transmission path 25B transmission path 26 bus

Claims (5)

And two general-purpose CPU board with at least two transmission means, and a high safety board one having a and a general-purpose external bus architecture operations can real Hodokosuru, the high safety board Equipped with at least one general-purpose communication board controlled by a general-purpose external bus included in the computer and connected to the backbone LAN, the two CPU boards being capable of communicating with each other by one transmission means provided for each, In the high safety control device capable of communicating with the high safety board by another transmission means provided for each,
The two CPU boards exchange control output data, control input data, and pseudo control data created so as to be inconsistent between the two CPU boards with each other's transmission means, and perform comparison / collation. The verification result is transmitted to the high safety board by the transmission means possessed by each CPU, and when the mismatch is detected in the control output data and the control input data, and the pseudo control data is matched in either CPU board When a failure is detected, the specified abnormality process is performed,
The high safety board performs comparison / collation of each collation result received from each CPU board, and if the two comparison results received from each CPU board do not match for the control output data and control input data, or both are compared If there is a mismatch , perform a predetermined abnormality process , and for the pseudo control data , if the two comparison results received from each CPU board do not match, or if both are a comparison match , Carry out prescribed abnormality processing,
When a control result is derived without performing abnormality detection through the above processing, the control output data is transferred to the general-purpose communication board, and the general-purpose communication board edits the control output data according to a predetermined transmission protocol. A high safety control device that outputs to the backbone LAN. 2. The high safety control device according to claim 1, wherein another set of high safety control devices having the same configuration is provided as a dual system configuration, and the control operation is continued even when a failure occurs in one of the control devices. A highly safe control device characterized by preventing the system from going down . In high safety control device according to claim 2, high safety controller, characterized in that it have a transmission means for matching of control data to each system between high safety control apparatus of the dual system. In the high safety control device according to claim 1, transmission / reception control of transmission data between dual system control devices having transmission means for matching control output data, control input data and control data in each system, A high safety control device, which is performed by a communication board connected to a general-purpose bus of the high safety board . The high safety control device according to claim 1, wherein transmission data between the dual control devices having transmission means for matching the control output data, the control input data, and the control data in each system is a frame error detection. A high safety control device comprising a check code, a transmission / reception address, and serial number data periodically updated .

Images